Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Cloud-Native & Supply-Chain Threat Actors
Modern adversaries targeting cloud identity infrastructure through API-driven, identity-centric attack patterns. Unlike traditional APT or ransomware operators, these actors weaponize OAuth flows, CI/CD pipelines, and federation trust chains—operating without malware through pure identity abuse.
Cloud-Native Intrusion
Groups exploiting native cloud identity primitives and API-driven authentication mechanisms
Supply-Chain Compromise
Actors manipulating identity trust paths through vendor and integration targeting
DevOps Identity Abuse
Operators compromising CI/CD pipelines and automation service principals
OAuth Pivoting
Specialists in SaaS-to-cloud lateral movement via consent manipulation

Critical distinction: These threat actors operate entirely within identity layers. Detection requires identity telemetry—endpoint tools are largely ineffective against API-driven, token-based operations.
OAuth Token Abuse & Consent Manipulation
Adversaries weaponize OAuth authorization flows to achieve full account takeover without credential theft. By exploiting consent mechanisms and OIDC scope escalation, attackers gain persistent access to SaaS applications and cloud resources through malicious OAuth applications and rogue third-party integrations.
Primary Attack Vectors
  • Malicious OAuth application registration with deceptive consent prompts
  • Consent phishing campaigns targeting high-privilege users
  • OIDC scope privilege escalation via overpermissioned grants
  • Rogue third-party integration abuse for lateral movement
BP-026: OAuth Consent Phishing
BP-030: Scope Escalation
Full SaaS and cloud account takeover achieved without traditional password compromise—pure identity protocol abuse.
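A defender-side check for the two mapped patterns, added here as an example and not code from the framework or its author. It scores consent-grant audit events for consent-phishing signals and detects an app whose later grant widens its scopes; the event field names, the high-risk scope list and the privileged-user set are assumptions.

```python
# Added example, not the framework's code: score OAuth consent-grant audit
# events for consent phishing (BP-026) and detect scope escalation (BP-030).
# Field names and risk lists are assumptions, not a real log schema.
from collections import defaultdict

HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                    "Directory.ReadWrite.All", "MailboxSettings.ReadWrite"}
PRIVILEGED_USERS = {"cfo@example.com", "itadmin@example.com"}  # constructed

# Constructed sample events: an unverified app consented by a privileged
# user with offline_access + mail scopes, re-consented later with broader
# scopes (escalation), and a benign verified app with a read-only scope.
EVENTS = [
    {"time": "2026-01-10T08:00Z", "user": "cfo@example.com", "app_id": "app-1",
     "publisher_verified": False, "consent_type": "user",
     "scopes": ["offline_access", "Mail.ReadWrite"]},
    {"time": "2026-01-11T09:30Z", "user": "cfo@example.com", "app_id": "app-1",
     "publisher_verified": False, "consent_type": "user",
     "scopes": ["offline_access", "Mail.ReadWrite", "Files.ReadWrite.All"]},
    {"time": "2026-01-12T10:00Z", "user": "dev@example.com", "app_id": "app-2",
     "publisher_verified": True, "consent_type": "admin",
     "scopes": ["User.Read"]},
]

def score_consent(ev):
    """Return (score, reasons) for one consent event; higher is riskier."""
    score, reasons = 0, []
    risky = HIGH_RISK_SCOPES & set(ev["scopes"])
    if risky:
        score += 3; reasons.append(f"high-risk scopes {sorted(risky)}")
    if "offline_access" in ev["scopes"]:  # refresh token = durable access
        score += 2; reasons.append("offline_access requested")
    if not ev["publisher_verified"]:
        score += 2; reasons.append("unverified publisher")
    if ev["consent_type"] == "user":      # skipped admin-consent review
        score += 1; reasons.append("user consent without admin review")
    if ev["user"] in PRIVILEGED_USERS:
        score += 2; reasons.append("high-privilege consenting user")
    return score, reasons

def detect_escalation(events):
    """Map app_id -> scopes a later consent added beyond earlier grants."""
    seen, escalations = defaultdict(set), {}
    for ev in sorted(events, key=lambda e: e["time"]):
        new = set(ev["scopes"]) - seen[ev["app_id"]]
        if seen[ev["app_id"]] and new:  # app already held a narrower grant
            escalations.setdefault(ev["app_id"], set()).update(new)
        seen[ev["app_id"]] |= set(ev["scopes"])
    return escalations
```

In practice the score threshold and the scope list are tuned per tenant; the escalation check is the part worth keeping verbatim, since a widened grant for an existing app is rarely benign.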
CI/CD Pipeline & Machine Identity Compromise
1. Pipeline Entry: Compromise GitHub Actions, Azure DevOps, GitLab Runners, or deployment service principals through credential exposure or workflow manipulation.
2. Privilege Escalation: Steal service principal secrets, modify CI workflows, and inject malicious build steps. Exploit overprivileged automation accounts and non-rotated API keys.
3. Cloud Pivot: Leverage pipeline access to pivot into production cloud environments, artifact registries, and deployment targets with elevated permissions.
CI/CD Targets
  • GitHub Actions workflows
  • Azure DevOps pipelines
  • GitLab CI/CD runners
  • Deployment service principals
  • Container registries
Machine Identity Abuse
  • Long-lived access tokens
  • Embedded credentials in code
  • Non-rotated API keys
  • Overprivileged automation
Mapped Patterns
BP-033: Pipeline compromise
BP-037: DevOps identity theft
BP-047: Artifact manipulation
BP-034/35: Machine identity escalation
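A machine-identity lifecycle audit over a constructed inventory of CI/CD service principals, added here as an example and not code from the framework. It flags each condition in the Machine Identity Abuse list (non-rotated keys, long-lived or non-expiring credentials, overprivileged automation) plus credentials added by an actor outside the approved automation owners; the thresholds, role names and approved-creator set are assumptions.

```python
# Added example, not the framework's code: a machine-identity lifecycle audit
# over a constructed inventory of CI/CD service principals. It flags the
# conditions the section lists: non-rotated keys, long-lived or non-expiring
# credentials, overprivileged automation, and credentials added by an actor
# outside the approved automation owners. All thresholds are assumptions.
from datetime import date

ROTATION_DAYS = 90                       # rotation policy (assumed)
MAX_LIFETIME_DAYS = 365                  # max credential lifetime (assumed)
PRIVILEGED_ROLES = {"Owner", "Global Administrator"}        # assumed set
APPROVED_CREATORS = {"platform-automation@example.com"}     # assumed set
TODAY = date(2026, 3, 1)                 # pinned so results are reproducible

# Constructed inventory: one healthy deploy principal and one legacy build
# principal holding a stale, non-expiring secret added by an unexpected actor.
PRINCIPALS = [
    {"name": "sp-web-deploy", "roles": ["Contributor"],
     "credentials": [{"id": "k1", "created": date(2026, 1, 15),
                      "expires": date(2026, 4, 15),
                      "added_by": "platform-automation@example.com"}]},
    {"name": "sp-legacy-build", "roles": ["Owner"],
     "credentials": [{"id": "k2", "created": date(2025, 6, 1),
                      "expires": None, "added_by": "contractor@example.com"}]},
]

def audit_principal(sp, today=TODAY):
    """Return (credential_id, finding) tuples for one service principal."""
    findings = []
    privileged = PRIVILEGED_ROLES & set(sp["roles"])
    if privileged:
        findings.append(("*", f"privileged roles {sorted(privileged)}"))
    for c in sp["credentials"]:
        age = (today - c["created"]).days
        if age > ROTATION_DAYS:
            findings.append((c["id"], f"not rotated for {age} days"))
        if c["expires"] is None:
            findings.append((c["id"], "no expiry set"))
        elif (c["expires"] - c["created"]).days > MAX_LIFETIME_DAYS:
            findings.append((c["id"], "lifetime exceeds policy"))
        if c["added_by"] not in APPROVED_CREATORS:
            findings.append((c["id"], f"added by unapproved {c['added_by']}"))
    return findings

def audit(principals, today=TODAY):
    """Map principal name -> findings, omitting principals with none."""
    return {sp["name"]: f for sp in principals
            if (f := audit_principal(sp, today))}
```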
Supply-Chain & Cross-Tenant Identity Pivoting
Supply-Chain Manipulation
Rather than direct breach, adversaries compromise upstream trust relationships. They target vendors, SaaS integrations, managed identity providers, and plugin ecosystems to manipulate identity trust chains including federations, SSO IdPs, SCIM provisioning, and delegated API permissions.
Vendor Compromise
Third-party provider breach cascading to downstream customers
Plugin Injection
Malicious code in trusted extensions and integrations
Federation Abuse
SSO and SCIM trust relationship exploitation
Maps to: BP-040, BP-045, BP-046
Cross-Tenant Pivoting
Cloud-native actors chain identity trust relationships across organizational boundaries. They exploit misconfigured multi-tenant applications, excessive app roles, and inconsistent conditional access policies to achieve token replay across tenants.
01. Azure AD to partner tenant traversal
02. SaaS to Azure to AWS cloud chaining
03. CI/CD to cloud admin escalation
04. OIDC to cloud RBAC role activation
Maps to: BP-040
Token Replay & Identity Persistence
Token Replay Operations
Access tokens, refresh tokens, session cookies, and OAuth authorization codes become primary attack primitives. Replay enables lateral movement, privilege escalation, persistence, and exfiltration without credential reuse.
Patterns: BP-027, BP-028, BP-029
Invisible Persistence
Adversaries establish persistence through identity mechanisms rather than traditional implants: hidden service principal credentials, bypassed secret rotations, rogue OAuth grants, and dormant but trusted identities.
Patterns: BP-041 through BP-046
Identity Attack Chain Alignment
  • Stage 2: Identity Enumeration
  • Stage 3: Token Acquisition
  • Stage 4: Authentication Abuse
  • Stage 5: Privilege Escalation
  • Stage 6: Token Tampering
  • Stage 7: Cloud Lateral Movement
  • Stage 8: Identity Persistence
  • Stage 9: Exfiltration/Impact
Detection & Defense Framework
IMU Weakness Categories
  • Federation trust misconfiguration
  • Cloud IAM policy gaps
  • DevOps identity security
  • Machine identity lifecycle
  • Session and token governance
  • Third-party integration controls
ITDLL Detection Patterns
  • Anomalous OAuth consent events
  • Unauthorized automation identity creation
  • Non-interactive sign-ins from unusual apps
  • API token replay indicators
  • Cross-cloud privilege activation
  • Long-lived refresh token anomalies
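Two of the detection patterns above run over constructed sign-in records, added here as an example and not code from the framework: a token-replay indicator (one session or token id used from more than one network location inside a short window, the Token Replay Operations case) and non-interactive sign-ins through an app the user has never used interactively. The record fields and the replay window are assumptions, not a real sign-in log schema.

```python
# Added example, not the framework's code: two ITDLL-style detections over
# constructed sign-in records: (1) replay of one token/session id from more
# than one IP inside a short window, and (2) non-interactive sign-ins from an
# app the user never used interactively. Field names are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

REPLAY_WINDOW = timedelta(minutes=30)   # detection tuning assumption

# Constructed records: session "sess-A" is used from two different IPs within
# 12 minutes; later a non-interactive sign-in arrives through an app the user
# has never used interactively.
SIGNINS = [
    {"t": "2026-02-01T09:00:00", "user": "alice", "session": "sess-A",
     "ip": "203.0.113.10", "app": "Outlook", "interactive": True},
    {"t": "2026-02-01T09:12:00", "user": "alice", "session": "sess-A",
     "ip": "198.51.100.77", "app": "Outlook", "interactive": False},
    {"t": "2026-02-01T10:00:00", "user": "alice", "session": "sess-B",
     "ip": "203.0.113.10", "app": "Teams", "interactive": True},
    {"t": "2026-02-01T11:30:00", "user": "alice", "session": "sess-C",
     "ip": "198.51.100.77", "app": "Mail Sync Helper", "interactive": False},
]

def _ts(rec):
    return datetime.fromisoformat(rec["t"])

def detect_replay(records, window=REPLAY_WINDOW):
    """Sessions seen from >1 IP within `window`; returns {session: {ips}}."""
    by_session = defaultdict(list)
    for r in sorted(records, key=_ts):
        by_session[r["session"]].append(r)
    hits = {}
    for sess, recs in by_session.items():
        for a, b in zip(recs, recs[1:]):   # compare consecutive uses
            if a["ip"] != b["ip"] and _ts(b) - _ts(a) <= window:
                hits.setdefault(sess, set()).update({a["ip"], b["ip"]})
    return hits

def detect_unusual_noninteractive(records):
    """Non-interactive sign-ins via apps the user never used interactively."""
    baseline = defaultdict(set)   # user -> apps seen in interactive sign-ins
    for r in records:
        if r["interactive"]:
            baseline[r["user"]].add(r["app"])
    return [(r["user"], r["app"]) for r in records
            if not r["interactive"] and r["app"] not in baseline[r["user"]]]
```

Real deployments compare network location by ASN or known egress ranges rather than raw IP, and build the interactive-app baseline over a longer history than the batch being scored.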
Core Principle
Identity is not a component of the attack. Identity is the attack.
These adversaries weaponize APIs, trust relationships, OAuth flows, CI/CD pipelines, and federation configurations—representing the modern identity supply-chain threat landscape.
